Re: [shara] port randomization (draft-ymbk-aplusp-03)
<pierre.levis@orange-ftgroup.com> Fri, 13 March 2009 08:07 UTC
Return-Path: <pierre.levis@orange-ftgroup.com>
X-Original-To: shara@core3.amsl.com
Delivered-To: shara@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id D36FD3A6A7A for <shara@core3.amsl.com>;
Fri, 13 Mar 2009 01:07:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=0.150,
BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjSK3UV30iPw for
<shara@core3.amsl.com>; Fri, 13 Mar 2009 01:07:52 -0700 (PDT)
Received: from p-mail1.rd.francetelecom.com (p-mail1.rd.francetelecom.com
[195.101.245.15]) by core3.amsl.com (Postfix) with ESMTP id 3197D3A683D for
<shara@ietf.org>; Fri, 13 Mar 2009 01:07:52 -0700 (PDT)
Received: from ftrdmel1.rd.francetelecom.fr ([10.193.117.152]) by
ftrdsmtp1.rd.francetelecom.fr with Microsoft SMTPSVC(6.0.3790.3959);
Fri, 13 Mar 2009 09:08:29 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----_=_NextPart_001_01C9A3B2.E46271FC"
Date: Fri, 13 Mar 2009 09:08:28 +0100
Message-ID: <D109C8C97C15294495117745780657AE0B6BEB6B@ftrdmel1>
In-Reply-To: <49B9752B.8030407@go6.si>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [shara] port randomization (draft-ymbk-aplusp-03)
Thread-Index: AcmjU/ZEmb3qlvYnTTKBiHhnaV4e6wAWlQrg
References: <022a01c9a2ab$fd5abf60$fd736b80@cisco.com><49B91C8B.5010906@go6.si><04a201c9a338$d5ce8f70$fd736b80@cisco.com>
<49B9752B.8030407@go6.si>
From: <pierre.levis@orange-ftgroup.com>
To: <jan@go6.si>, <shara@ietf.org>
X-OriginalArrivalTime: 13 Mar 2009 08:08:29.0171 (UTC)
FILETIME=[E49C1430:01C9A3B2]
Subject: Re: [shara] port randomization (draft-ymbk-aplusp-03)
X-BeenThere: shara@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Sharing of an IPv4 Address discussion list <shara.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/shara>,
<mailto:shara-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/shara>
List-Post: <mailto:shara@ietf.org>
List-Help: <mailto:shara-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/shara>,
<mailto:shara-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2009 08:07:59 -0000
This is a good question. I'm also wondering, currently how many OSs and how many NATs do implement a good randomization function? More generally, in port range solutions we (I include myself) propose sophisticated functions that surely make sense. However, I do believe that, if we want to see vendors rapidly implement port range capabilities, we have to agree on a minimum set of functionalities that makes it possible to build a viable port range solution. I'm very convinced, for example, that it is straighforward (I mean almost no cost and without any performance lost) for all vendors to upgrade their routers to PRRs (Port Range Router), we did that on Linux only by configuration. Pierre ________________________________ De : shara-bounces@ietf.org [mailto:shara-bounces@ietf.org] De la part de Jan Zorz @ go6.si Envoyé : jeudi 12 mars 2009 21:49 À : shara@ietf.org Objet : Re: [shara] port randomization (draft-ymbk-aplusp-03) Dan Wing wrote: How important is port randomization and how big is the impact in real life, Over the last 10 years there have been several attacks against TCP and DNS that have exploited predictable emphemeral ports. The industry response to those attacks has been to (a) randomize ephemeral port selection (rather than incrementing to the next port number) and (b) increase the ephemeral port range used by the OS. See http://tools.ietf.org/html/draft-ietf-tsvwg-port-randomization-02#section-1 for more detailed answer to your question. Dan, hi. I'm well aware of that draft, it is also referenced in in A+P draft. Maybe I was not clear enough in my question, let me re-phrase it. In shared IP solutions we are taking away ports from customers, we are taking away resources and everything is a compromise. Being said that, if we are happy with compromise, why not introduce compromise also in a dirty hack as port randomization is. So, can we live with randomization within for example range of 512 ports? Is this "good enough"? We are quite fond of accepting the compromise of shared IP as "good enough", because we have no other option, so can we accept also the compromise of less randomness in port randomization hack? I'm also curious to hear some aproximation from any HW vendor, what does allocating "one port per request" means for PRR in larger scale. I suspect this might very well be performance suicide, but this is only my speculation. If not - good, we can go in that direction, which I recognise as good also in several other ways. Thank you for your time and effort, Jan Zorz
- [shara] port randomization (draft-ymbk-aplusp-03) Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… Gabor.Bajko
- Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… Randy Bush
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… teemu.savolainen
- Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… pierre.levis
- Re: [shara] port randomization (draft-ymbk-aplusp… Lars Eggert
- Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Denis-Courmont
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Després
- Re: [shara] port randomization (draft-ymbk-aplusp… Rémi Després
- Re: [shara] port randomization (draft-ymbk-aplusp… teemu.savolainen
- Re: [shara] port randomization (draft-ymbk-aplusp… MILES DAVID
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… Gabor.Bajko
- Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… Dan Wing
- Re: [shara] port randomization (draft-ymbk-aplusp… pierre.levis
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair
- Re: [shara] port randomization (draft-ymbk-aplusp… Jan Zorz @ go6.si
- Re: [shara] port randomization (draft-ymbk-aplusp… mohamed.boucadair